Parent

Methods

Class/Module Index [+]

Quicksearch

Rex::Exploitation::EncryptJS

Encrypts javascript code

Public Class Methods

encrypt(js, key) click to toggle source

Encrypts a javascript string.

Encrypts a javascript string via XOR using a given key. The key must be passed to the executed javascript so that it can decrypt itself. The provided loader gets the key from "location.search.substring(1)"

This should bypass any detection of the file itself as information not part of the file is needed to decrypt the original javascript code.

Example: <code> js = <<ENDJS

function say_hi() {
    var foo = "Hello, world";
    document.writeln(foo);
}

ENDJS key = 'secret' js_encrypted = EncryptJS.encrypt(js, key) </code>

You might use something like this in exploit modules to pass the key to the javascript <code> if (!request.uri.match(/?w+/))

send_local_redirect(cli, "?#{@key}")
return

end </code>

# File lib/rex/exploitation/encryptjs.rb, line 43
def self.encrypt(js, key)
        js.gsub!(/[\r\n]/, '')

        encoded = Rex::Encoding::Xor::Generic.encode(js, key)[0].unpack("H*")[0]

        # obfuscate the eval call to circumvent generic detection
        eval = 'eval'.split(//).join(Rex::Text.rand_text_alpha(rand(5)).upcase)
        eval_call = 'window["' + eval + '".replace(/[A-Z]/g,"")]'

        js_loader = Rex::Exploitation::ObfuscateJS.new                 var exploit = '#{encoded}';                var encoded = '';                for (i = 0;i<exploit.length;i+=2) {                        encoded += String.fromCharCode(parseInt(exploit.substring(i, i+2), 16));                }                var pass = location.search.substring(1);                var decoded = '';                for (i=0;i<encoded.length;i++) {                        decoded += String.fromCharCode(encoded.charCodeAt(i) ^ pass.charCodeAt(i%pass.length));                }                #{eval_call}(decoded);

        js_loader.obfuscate(
                'Symbols' => {
                        'Variables' => [ 'exploit', 'encoded', 'pass', 'decoded' ],
                },
                'Strings' => false
        )
end

[Validate]

Generated with the Darkfish Rdoc Generator 2.